
Solved: Windows 2003 server hijacked - can't access control panel as admin

Discussion in 'Malware and Virus Removal Archive' started by mcseadogs, 2007/11/15.

  1. 2007/11/19
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    most recent kaspersky log part 1

    OK cleaned the last bit, here is the most recent kaspersky...
    -------------------------------------------------------------------------------
    KASPERSKY ONLINE SCANNER REPORT
    2007-11-19 09:53
    Operating System: Microsoft Windows Server 2003, Standard Edition, Service Pack 2 (Build 3790)
    Kaspersky Online Scanner version: 5.0.98.0
    Kaspersky Anti-Virus database last update: 19/11/2007
    Kaspersky Anti-Virus database records: 461543
    -------------------------------------------------------------------------------

    Scan Settings:
    Scan using the following antivirus database: extended
    Scan Archives: true
    Scan Mail Bases: true

    Scan Target - Folders:
    C:\
    E:\

    Scan Statistics:
    Total number of scanned objects: 201023
    Number of viruses found: 18
    Number of infected objects: 86
    Number of suspicious objects: 7
    Duration of the scan process: 02:58:25

    Infected Object Name / Virus Name / Last Action
     
    Last edited: 2007/11/19
  2. 2007/11/19
    mcseadogs

    most recent kaspersky log part 2

    Scan process completed.
     
    Last edited: 2007/11/19


  4. 2007/11/19
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    The only infected items I see are in the Symantec quarantine folder.

    C:\Documents and Settings\All Users\Application Data\Symantec\Symantec AntiVirus Corporate Edition\7.5\Quarantine

    You can remove those via the Symantec control panel. Additionally, have all your clients empty their deleted items folders.

    The computer appears clean now. Any other problems?
     
  5. 2007/11/19
    mcseadogs

    final update

    Phenomenal! Thanks for all the help. I will clear the Symantec quarantine and have everyone clear the deleted items as recommended. We had an issue where if you clicked on a hyperlink within an Office product an error appeared stating that you don't have access to run the program, but a reset on the Internet Explorer settings under the administrator account appears to have cleared this for all users. Thanks again!
     
  6. 2007/11/19
    noahdfear

    Glad I could help. :)

    Dump that backup disk image now too. Then make a new one. With it, you could have total system failure, rebuild, re-image and apply backups in a fraction of the time it would normally take. Creating a fresh image on a clean working system on a regular basis will also cut down on the number of backup files to restore if needed. I know some folks that create an image before applying any Windows Updates. Not a bad idea to have one before a software installation either.

    It's rare to see a server with this sort of infection. Do you have local users on the server surfing the web? If so, not the best policy IMO. Might want to lock it down and give 'em workstations to prevent this in the future. ;)
     
  7. 2007/11/20
    mcseadogs

    Thank you!

    Will do. We do have local users surfing the web and unfortunately we can't change that completely, but we can certainly lock it down more than it has been.
     
  8. 2007/11/28
    mcseadogs

    It's back

    Same deal - can't find c:\documents, can't open control panel. Posting the current HijackThis log:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 15:06, on 2007-11-28
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    e:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
    C:\WINDOWS\system32\dllhost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/dell/homepage/dellhome.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\dell\homepage\dellhome.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\dell\homepage\dellhome.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jtpdial1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = secure.deyta.com
    F2 - REG:system.ini: Shell=Explorer.exe C:\Documents and Settings\Administrator.65GW2003\WINDOWS\shell.exe
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe "
    O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
    O4 - HKCU\..\Run: [DBISQL9] "E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SybaseCentral43] "E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
    O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O4 - S-1-5-18 Startup: findfast.exe (User 'SYSTEM')
    O4 - .DEFAULT Startup: findfast.exe (User 'Default user')
    O4 - Startup: findfast.exe
    O4 - Global Startup: autorun.exe
    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\winrnr.dll' missing
    O15 - ESC Trusted Zone: http://rad.msn.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1191889896244
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191889888916
    O16 - DPF: {8613571C-30D2-4BD4-9710-3DFDBADE8190} (AMI Pictorial Control CWeb 2.1 SPa05) - http://10.34.33.18/amI/install/amiviewer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/T25L/webex/ieatgpc.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://southeast.clio.medcity.net/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - e:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 10456 bytes
    I've tried to review this log but don't see anything that looks suspicious.
    Assistance would be appreciated...again.
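The entries in the log above that a reviewer would pick out are the F2 Shell= line that starts a second executable next to Explorer.exe, the HKCU Run entry whose binary is spelled spoolvs.exe rather than spoolsv.exe, the O7 policy that disables regedit, and the O10 broken LSP chain. The script below is an added example for triaging a HijackThis-style log for exactly those patterns; it is not part of this thread, of HijackThis or of ComboFix. The sample log it runs on is a constructed subset of the lines posted above, the list of system process names and the 0.85 similarity threshold for "lookalike" names are assumptions chosen for illustration, and the duplicate-process count is reported for context only, since svchost.exe always runs several times and on a terminal server every session has its own winlogon.exe.

```python
"""Triage helper for HijackThis-style logs (added example, not a HijackThis feature).

Flags the persistence patterns seen in the posted log:
  * F2  Shell= value that launches something besides Explorer.exe
  * O4  Run/Startup entries whose binary name mimics a Windows system process
  * O7  policy that disables regedit
  * O10 Winsock LSP chain reported as broken
and reports duplicated running processes as context, not as findings.
"""
import re
from collections import Counter
from difflib import SequenceMatcher

# Core Windows process names that malware commonly imitates with a near-miss
# spelling. Assumed list for this example; extend it for your own environment.
SYSTEM_PROCESSES = {
    "smss.exe", "csrss.exe", "winlogon.exe", "services.exe", "lsass.exe",
    "svchost.exe", "spoolsv.exe", "explorer.exe", "userinit.exe",
}

RUN_RE = re.compile(r"^O4 - (?P<key>[^:]+): (?:\[(?P<name>[^\]]*)\] )?(?P<cmd>.*)$")
EXE_RE = re.compile(r'([^\\/"\s]+\.exe)', re.IGNORECASE)
SHELL_RE = re.compile(r"^F2 - REG:system\.ini: Shell=(?P<value>.*)$")

# Constructed sample: a subset of the lines from the log posted above,
# with the benign Symantec and Printer entries kept for contrast.
SAMPLE_LOG = r"""Running processes:
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\Explorer.EXE

F2 - REG:system.ini: Shell=Explorer.exe C:\Documents and Settings\Administrator.65GW2003\WINDOWS\shell.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe "
O4 - HKLM\..\Run: [Printer] C:\WINDOWS\system32\printer.exe
O4 - HKCU\..\Run: [Spoolsv] C:\WINDOWS\system32\spoolvs.exe
O4 - Global Startup: autorun.exe
O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1
O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\winrnr.dll' missing
"""


def lookalike(exe_name, threshold=0.85):
    """Return the system process name that `exe_name` most resembles, or None.

    An exact match is legitimate and never reported; only near misses such as
    spoolvs.exe against spoolsv.exe cross the (assumed) threshold.
    """
    exe_name = exe_name.lower()
    if exe_name in SYSTEM_PROCESSES:
        return None
    best, best_ratio = None, 0.0
    for legit in SYSTEM_PROCESSES:
        ratio = SequenceMatcher(None, exe_name, legit).ratio()
        if ratio > best_ratio:
            best, best_ratio = legit, ratio
    return best if best_ratio >= threshold else None


def triage(log_text):
    """Return a list of (code, reason, line) findings, in log order."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SHELL_RE.match(line)
        if m:
            # The stock value is exactly "Explorer.exe"; anything appended is a
            # second program started with every interactive logon.
            if m.group("value").strip().lower() != "explorer.exe":
                findings.append(("F2", "Shell= launches more than Explorer.exe: " + m.group("value"), line))
            continue
        m = RUN_RE.match(line)
        if m:
            exe = EXE_RE.search(m.group("cmd"))
            twin = lookalike(exe.group(1)) if exe else None
            if twin:
                findings.append(("O4", f"{exe.group(1)} looks like a misspelling of {twin}", line))
            continue
        if line.startswith("O7 - ") and "DisableRegedit=1" in line:
            findings.append(("O7", "registry editing disabled by policy", line))
        elif line.startswith("O10 - "):
            findings.append(("O10", "Winsock LSP chain broken; network stack may have been tampered with", line))
    return findings


def duplicate_processes(log_text):
    """Count image names listed more than once under 'Running processes:'.

    Informational only: svchost.exe always has several instances and on a
    terminal server each session runs its own winlogon.exe.
    """
    names = Counter()
    in_block = False
    for raw in log_text.splitlines():
        line = raw.strip()
        if line == "Running processes:":
            in_block = True
            continue
        if in_block:
            if not line:
                break
            names[line.rsplit("\\", 1)[-1].lower()] += 1
    return {name: n for name, n in names.items() if n > 1}


if __name__ == "__main__":
    for code, reason, line in triage(SAMPLE_LOG):
        print(f"[{code}] {reason}\n    {line}")
    for name, n in duplicate_processes(SAMPLE_LOG).items():
        print(f"info: {name} listed {n} times")
```

Run against the sample it reports the F2, O4 (spoolvs.exe), O7 and O10 lines and leaves ccApp.exe, printer.exe and autorun.exe alone; the latter two still deserve a manual look, since a plausible name in system32 or a bare filename in Global Startup is not something a spelling check can judge.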
     
  9. 2007/11/28
    noahdfear

    Grab a fresh copy of ComboFix from here or here, saving the file to your desktop.

    Fix the following with HijackThis.

    O7 - HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System, DisableRegedit=1

    Disconnect all client sessions.
    • Close all open programs and windows
    • Double click combofix.exe and follow the prompts.
    • When finished, it will open a log for you. Post that log and a new HijackThis log in your next reply.
    Note: Do not mouse-click ComboFix's window while it's running. That may cause it to stall.
     
  10. 2007/11/29
    mcseadogs

    HijackThis 11/29/07

    OK here goes... The good thing is that I'm pretty sure I figured out who the offender was that started this and have made some progress in increasing the security. Thanks for the help!
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:00, on 2007-11-29
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:

    --
    End of file - 9193 bytes
     
    Last edited: 2007/11/30
  11. 2007/11/29
    mcseadogs

    combofix log 11/29/07 Part 1

    ComboFix 07-11-19.4C - Administrator 2007-11-29 21:05:33.3 - NTFSx86
    Microsoft(R) Windows(R) Server 2003, Standard Edition 5.2.3790.2.1252.1.1033.18.3298 [GMT -5:00]
    Running from: C:\Documents and Settings\Administrator.65GW2003\Desktop\ComboFix.exe
    .

    ((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))
    .

    C:\Documents and Settings\All Users\Start Menu\Programs.\UltimateCleaner 2007
    C:\Documents and Settings\All Users\Start Menu\Programs.\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs.\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs.\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007\Register UltimateCleaner 2007.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007\Start UltimateCleaner 2007.lnk
    C:\Documents and Settings\All Users\Start Menu\Programs\UltimateCleaner 2007\Uninstall UltimateCleaner 2007.lnk
    C:\Documents and Settings\moreyd\Application Data\Ultimate Cleaner
    C:\Documents and Settings\moreyd\Application Data\Ultimate Cleaner\settings.dat
    C:\Program Files\Ultimate Cleaner
    C:\Program Files\Ultimate Cleaner\com\ucsecuredelete.dll
    C:\Program Files\Ultimate Cleaner\program.info
    C:\Program Files\Ultimate Cleaner\ucleaner.pkg
    C:\Program Files\Ultimate Cleaner\UltimateCleaner.db
    C:\Program Files\Ultimate Cleaner\UltimateCleaner.exe
    C:\Program Files\Ultimate Cleaner\Uninstall.exe

    .
    ((((((((((((((((((((((((( Files Created from 2007-10-28 to 2007-11-30 )))))))))))))))))))))))))))))))
    .

    2007-11-29 09:13 <DIR> d---s---- C:\Documents and Settings\doucetm\UserData
    2007-11-28 14:50 <DIR> d-------- C:\Documents and Settings\cumbees\WINDOWS
    2007-11-28 14:50 <DIR> d-------- C:\Documents and Settings\cumbees\Application Data\Juniper Networks
    2007-11-28 12:55 10,240 --------- C:\Program Files\spoolsv.exe
    2007-11-27 15:54 <DIR> d-------- C:\Documents and Settings\chaplin-rouser\WINDOWS
    2007-11-27 15:53 <DIR> d-------- C:\Documents and Settings\chaplin-rouser\Application Data\Juniper Networks
    2007-11-27 15:52 <DIR> d-------- C:\Documents and Settings\mixtera\WINDOWS
    2007-11-27 15:52 <DIR> d-------- C:\Documents and Settings\mixtera\Application Data\Juniper Networks
    2007-11-26 13:56 <DIR> d---s---- C:\Documents and Settings\andersonp\UserData
    2007-11-23 14:52 60,928 --------- C:\WINDOWS\c90m10se.exe
    2007-11-23 14:52 60,928 --------- C:\WINDOWS\012o41bm.exe
    2007-11-23 14:52 41,472 --------- C:\WINDOWS\system32\e404d.dll
    2007-11-19 13:30 <DIR> d-------- C:\Documents and Settings\hoctest\WINDOWS
    2007-11-19 13:30 <DIR> d-------- C:\Documents and Settings\hoctest\Application Data\Juniper Networks
    2007-11-18 17:13 <DIR> d-------- C:\WINDOWS\system32\Kaspersky Lab
    2007-11-18 17:13 <DIR> d-------- C:\Documents and Settings\All Users\Application Data\Kaspersky Lab
    2007-11-17 14:26 <DIR> d---s---- C:\Documents and Settings\quinnja\UserData
    2007-11-16 13:53 <DIR> d-------- C:\Documents and Settings\doucetm\WINDOWS
    2007-11-16 13:53 <DIR> d-------- C:\Documents and Settings\doucetm\Application Data\Juniper Networks
    2007-11-15 09:16 <DIR> d-------- C:\Program Files\Trend Micro
    2007-11-03 13:34 <DIR> d---s---- C:\Documents and Settings\kinlochp\UserData
    2007-11-02 13:42 <DIR> d-------- C:\Documents and Settings\johnsond\WINDOWS
    2007-11-02 13:42 <DIR> d-------- C:\Documents and Settings\johnsond\Application Data\Juniper Networks
    2007-11-02 08:34 <DIR> d---s---- C:\Documents and Settings\beattyt\UserData
    2007-10-31 10:09 <DIR> d-------- C:\Documents and Settings\bauguessb\WebEx
    2007-10-31 10:09 <DIR> d-------- C:\Documents and Settings\bauguessb\Application Data\webex
    2007-10-31 07:26 <DIR> d-------- C:\WINDOWS\MPSReports
    2007-10-31 06:37 143,458,672 --a------ C:\Temp\WindowsServer2003-KB933548-v1-x86-symbols-UPD-ENU.exe
    2007-10-31 06:16 <DIR> d-------- C:\Program Files\Debugging Tools for Windows
    2007-10-31 05:32 <DIR> d-------- C:\Temp\invcol
    2007-10-30 17:03 162,457,456 --a------ C:\Temp\WindowsServer2003-KB933548-v1-x86-symbols-NRL-ENU.exe
    2007-10-28 04:27 <DIR> d---s---- C:\Documents and Settings\malloym\UserData
    2007-10-25 15:10 <DIR> d-------- C:\Documents and Settings\andersonp\WINDOWS
    2007-10-25 15:10 <DIR> d-------- C:\Documents and Settings\andersonp\Application Data\Juniper Networks
    2007-10-25 14:55 <DIR> d-------- C:\Documents and Settings\butlerd\WINDOWS
    2007-10-25 14:55 <DIR> d-------- C:\Documents and Settings\butlerd\Application Data\Juniper Networks
    2007-10-25 14:54 <DIR> d-------- C:\Documents and Settings\beattyt\WINDOWS
    2007-10-25 14:54 <DIR> d-------- C:\Documents and Settings\beattyt\Application Data\Juniper Networks
    2007-10-25 07:36 <DIR> d-------- C:\Documents and Settings\kinlochp\WINDOWS
    2007-10-25 07:36 <DIR> d-------- C:\Documents and Settings\kinlochp\Application Data\Juniper Networks
    2007-10-22 10:15 <DIR> d-------- C:\Documents and Settings\quinnja\Application Data\Juniper Networks
    2007-10-21 13:30 <DIR> d-------- C:\Documents and Settings\kellya\Application Data\Juniper Networks
    2007-10-18 20:52 <DIR> d-------- C:\Documents and Settings\Default User\Application Data\Juniper Networks
    2007-10-18 10:24 <DIR> d-------- C:\Program Files\Microsoft CAPICOM 2.1.0.2
    2007-10-18 10:20 1,265,664 --------- C:\WINDOWS\system32\dllcache\system.web.dll
    2007-10-18 10:20 1,232,896 --------- C:\WINDOWS\system32\dllcache\sy52106.dll
    2007-10-18 10:20 1,119,232 --a------ C:\WINDOWS\system32\msxml3.dll
    2007-10-18 10:20 852,992 --a------ C:\WINDOWS\system32\dllcache\vgx.dll
    2007-10-18 10:20 271,360 --------- C:\WINDOWS\system32\mscoree.dll
    2007-10-18 10:20 258,048 --------- C:\WINDOWS\system32\dllcache\aspnet_isapi.dll
    2007-10-18 10:20 118,784 --------- C:\WINDOWS\system32\dllcache\togac.exe
    2007-10-18 10:20 106,496 --------- C:\WINDOWS\system32\dllcache\setregni.exe
    2007-10-18 10:19 2,854,400 --a------ C:\WINDOWS\system32\msi.dll
    2007-10-18 10:19 2,469,888 --------- C:\WINDOWS\system32\dllcache\ntkrnlmp.exe
    2007-10-18 10:19 2,430,464 --------- C:\WINDOWS\system32\dllcache\ntoskrnl.exe
    2007-10-18 10:19 2,321,408 --------- C:\WINDOWS\system32\dllcache\ntkrpamp.exe
    2007-10-18 10:19 2,280,960 --------- C:\WINDOWS\system32\dllcache\ntkrnlpa.exe
    2007-10-18 10:19 510,976 --------- C:\WINDOWS\system32\dllcache\wab32.dll
    2007-10-17 09:55 <DIR> d-------- C:\Documents and Settings\hutchinsons\WebEx
    2007-10-17 09:55 <DIR> d-------- C:\Documents and Settings\hutchinsons\Application Data\webex
    2007-10-17 09:54 <DIR> d-------- C:\Documents and Settings\hiottb\WebEx
    2007-10-17 09:54 <DIR> d-------- C:\Documents and Settings\hiottb\Application Data\webex
    2007-10-16 19:19 6,656 --------- C:\WINDOWS\system32\BiosMsg.dll
    2007-10-15 19:23 <DIR> d-------- C:\Documents and Settings\malloym\Application Data\Juniper Networks
    2007-10-15 08:45 <DIR> d-------- C:\Documents and Settings\palazzom\Application Data\Juniper Networks
    2007-10-15 08:44 <DIR> d-------- C:\Documents and Settings\palazzom\WINDOWS
    2007-10-15 05:12 <DIR> d-------- C:\Documents and Settings\thomasg\Application Data\Juniper Networks
    2007-10-12 11:11 <DIR> d-------- C:\Documents and Settings\hoctest2\Application Data\Juniper Networks
    2007-10-11 18:05 50,176 -r------- C:\WINDOWS\system32\drivers\bxnd52x.sys
    2007-10-11 18:05 36,352 -r------- C:\WINDOWS\system32\bxndcox.dll
    2007-10-11 18:05 0 ---h----- C:\WINDOWS\system32\drivers\MsftWdf_Kernel_01005_Coinstaller_Critical.Wdf
    2007-10-11 18:04 <DIR> d-------- C:\Program Files\Broadcom
    2007-10-11 18:04 1,419,232 -r------- C:\WINDOWS\system32\wdfcoinstaller01005.dll
    2007-10-11 18:04 385,536 -r------- C:\WINDOWS\system32\drivers\bxvbdx.sys
    2007-10-11 09:28 <DIR> d---s---- C:\Documents and Settings\larsenp\UserData
    2007-10-08 19:31 34,136 --------- C:\WINDOWS\system32\wucltui.dll.mui
    2007-10-08 19:31 25,944 --------- C:\WINDOWS\system32\wuaucpl.cpl.mui
    2007-10-08 19:31 25,944 --------- C:\WINDOWS\system32\wuapi.dll.mui
    2007-10-08 19:31 20,312 --------- C:\WINDOWS\system32\wuaueng.dll.mui
    2007-10-06 19:49 <DIR> d-------- C:\Documents and Settings\distadl\Application Data\Juniper Networks
    2007-10-06 18:00 <DIR> d-------- C:\Documents and Settings\brightt\Application Data\Juniper Networks
    2007-10-05 08:00 <DIR> d-------- C:\Documents and Settings\larsenp\WINDOWS
    2007-10-05 08:00 <DIR> d-------- C:\Documents and Settings\larsenp\Application Data\Juniper Networks
    2007-10-04 12:05 <DIR> d-------- C:\Documents and Settings\spitzj\WINDOWS
    2007-10-04 12:05 <DIR> d-------- C:\Documents and Settings\spitzj\Application Data\Juniper Networks
    2007-10-04 06:35 <DIR> d-------- C:\Documents and Settings\mastillonek\Application Data\Juniper Networks
    2007-10-03 09:56 <DIR> d---s---- C:\Documents and Settings\creesed\UserData
    2007-10-02 09:18 <DIR> d---s---- C:\Documents and Settings\buchheite\UserData
    2007-10-02 06:20 <DIR> d-------- C:\Documents and Settings\wilburm\Application Data\Juniper Networks
    2007-10-01 15:10 <DIR> d-------- C:\Documents and Settings\abbotts\Application Data\Juniper Networks
    2007-10-01 12:36 <DIR> d-------- C:\Documents and Settings\65gsupport\WINDOWS
    2007-10-01 12:36 <DIR> d-------- C:\Documents and Settings\65gsupport\Application Data\Juniper Networks

    .
    (((((((((((((((((((((((((((((((((((((((( Find3M Report ))))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    2007-11-30 02:09 --------- d-----w C:\Program Files\Symantec AntiVirus
    2007-10-31 13:47 --------- d--h--w C:\Program Files\InstallShield Installation Information
    2007-10-31 13:47 --------- d-----w C:\Program Files\MEDITECH
    2007-10-30 19:23 --------- d-----w C:\Documents and Settings\pooserv\Application Data\Juniper Networks
    2007-10-17 14:54 202,826 ------w C:\WINDOWS\system32\atasnt40.dll
    2007-09-30 16:54 --------- d-----w C:\Documents and Settings\klosda\Application Data\Juniper Networks
    2007-09-28 15:33 --------- d-----w C:\Documents and Settings\greenmy\Application Data\Juniper Networks
    2007-09-28 13:26 --------- d-----w C:\Documents and Settings\richardsonc\Application Data\Juniper Networks
    2007-09-28 11:48 --------- d-----w C:\Documents and Settings\wixk\Application Data\Juniper Networks
    2007-08-18 15:54 698,368 ----a-w C:\WINDOWS\system32\dllcache\urlmon.dll
    2007-08-18 15:54 670,720 ----a-w C:\WINDOWS\system32\dllcache\wininet.dll
    2007-08-18 15:54 3,132,416 ----a-w C:\WINDOWS\system32\dllcache\mshtml.dll
    2007-08-18 15:54 209,920 ----a-w C:\WINDOWS\system32\dllcache\dxtrans.dll
    2007-08-18 15:54 1,508,352 ----a-w C:\WINDOWS\system32\dllcache\shdocvw.dll
    2007-08-18 15:54 1,033,216 ----a-w C:\WINDOWS\system32\dllcache\browseui.dll
    2007-08-17 12:31 13,824 ------w C:\WINDOWS\system32\w03a3409.dll
    2007-08-16 21:13 694,784 ------w C:\WINDOWS\system32\inetcomm.dll
    2007-08-16 21:13 694,784 ------w C:\WINDOWS\system32\dllcache\inetcomm.dll
    2007-08-01 19:11 5,984 ------w C:\WINDOWS\xhh1j8ol.exe
    .

    ((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))))
    .
    .
    *Note* empty entries & legit default entries are not shown

    [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "DBISQL9 "= "E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" [2006-06-01 14:34]
    "SybaseCentral43 "= "E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" [2006-05-19 15:12]

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    "ccApp "= "C:\Program Files\Common Files\Symantec Shared\ccApp.exe" [2004-02-29 16:44]
    "vptray "= "C:\PROGRA~1\SYMANT~1\VPTray.exe" [2004-03-12 15:18]
    "Acrobat Assistant 7.0 "= "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe" [2006-01-12 19:52]

    [HKEY_USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\RunOnce]
    "tscuninstall "= "C:\WINDOWS\system32\tscupgrd.exe" [2005-03-25 08:00]
    "@ "=" " []
    "O2k3ProfileSettings "= "E:\Program Files\ORKTools\ORK11\Tools\Profile Wizard\Proflwiz.exe" [2003-07-14 23:02]

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\system]
    "disablecad "= 0 (0x0)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
    "ShowSuperHidden "= 1 (0x1)

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\winlogon\notify\dimsntfy]
    dimsntfy.dll 2007-02-17 09:02 19456 C:\WINDOWS\system32\dimsntfy.dll
    C:\WINDOWS\system32\NavLogon.dll 2004-03-12 15:17 83176 C:\WINDOWS\system32\NavLogon.dll

    [HKEY_LOCAL_MACHINE\system\currentcontrolset\control\lsa]
    "Notification Packages "= RASSFM KDCSVC WDIGEST scecli

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1197\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LMALogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1856\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1858\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1866\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1870\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LocalMap.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-1870\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2616\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-2626\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3450\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3464\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3580\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3581\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3582\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3583\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3586\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3587\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3588\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3590\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3591\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3592\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3596\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3597\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3598\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3599\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3600\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3601\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3603\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3604\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3605\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3608\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3610\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LocalMap.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3610\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3611\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3612\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3615\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3616\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3617\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3619\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3620\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3621\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3622\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3623\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3624\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3625\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3626\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3627\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3628\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3629\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3630\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3631\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3632\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3633\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3634\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3635\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3637\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3638\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3639\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3640\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3641\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3642\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3643\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3644\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3646\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3647\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3649\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3651\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3652\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3653\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3654\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LocalMap.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3654\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3655\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3657\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3658\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3659\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd
     
  12. 2007/11/29
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    combofix log 11/29/07 Part 2

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3660\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3661\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3663\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3664\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3665\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3667\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3668\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3669\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3670\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3672\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3673\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3674\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3675\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3677\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3678\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3679\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3681\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3682\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3683\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3684\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3685\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3686\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3687\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3688\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3689\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3690\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3691\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LocalMap.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3691\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3692\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3693\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3695\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3696\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3697\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3699\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3700\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3701\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3702\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3703\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3704\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3705\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3706\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3708\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3709\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3710\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3711\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3712\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3713\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3714\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3715\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\LocalMap.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3715\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3716\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3717\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3718\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3719\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3720\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3721\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3724\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3725\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3726\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3727\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3728\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3742\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCvsdataLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3742\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3748\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3750\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3752\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3761\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3777\Scripts\Logon\0\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCvsdataLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3777\Scripts\Logon\1\0]
    "Script "=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3780\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCTailoredSystemsLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3780\Scripts\Logon\1\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3789\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\65GLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3800\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3801\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3840\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3926\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-3928\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4066\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4067\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4068\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4098\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4099\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4103\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4132\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4179\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4254\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4277\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4278\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4290\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4473\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4489\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4490\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4527\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-4566\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-5106\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-5107\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\group policy\state\S-1-5-21-2114191254-3386695089-3779284816-5168\Scripts\Logon\0\0]
    "Script"=\\65GW2003.com\SysVol\65GW2003.com\scripts\HOCLogon.cmd

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\sacsvr]
    @="Service"

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal\wd.sys]
    @="Driver"

    R0 b06bdrv;Broadcom NetXtreme II VBD;C:\WINDOWS\system32\DRIVERS\bxvbdx.sys
    R0 crcdisk;CRC Disk Filter Driver;C:\WINDOWS\system32\DRIVERS\crcdisk.sys
    R0 DfsDriver;DfsDriver;C:\WINDOWS\system32\drivers\Dfs.sys
    R0 percsas;percsas;C:\WINDOWS\system32\DRIVERS\percsas.sys
    R0 VSP;Volume Snapshot Provider;C:\WINDOWS\system32\DRIVERS\vsp.sys
    R2 AeLookupSvc;Application Experience Lookup Service;C:\WINDOWS\system32\svchost.exe -k netsvcs
    R2 BASFND;BASFND;\??\C:\Program Files\Broadcom\SNMP\BASFND.sys
    R3 dcdbas;System Management Driver;C:\WINDOWS\system32\DRIVERS\dcdbas32.sys
    R3 l2nd;Broadcom NetXtreme II BXND;C:\WINDOWS\system32\DRIVERS\bxnd52x.sys
    S3 ati2mpad;ati2mpad;C:\WINDOWS\system32\DRIVERS\ati2mpad.sys
    S3 Dfs;Distributed File System;C:\WINDOWS\system32\Dfssvc.exe
    S3 NtFrs;File Replication;C:\WINDOWS\system32\ntfrs.exe
    S3 RSoPProv;Resultant Set of Policy Provider;C:\WINDOWS\system32\RSoPProv.exe
    S3 sacsvr;Special Administration Console Helper;C:\WINDOWS\System32\svchost.exe -k netsvcs
    S3 vga;vga;C:\WINDOWS\system32\DRIVERS\vgapnp.sys
    S3 WinHttpAutoProxySvc;WinHTTP Web Proxy Auto-Discovery Service;C:\WINDOWS\system32\svchost.exe -k LocalService
    S3 WLBS;Network Load Balancing;C:\WINDOWS\system32\DRIVERS\wlbs.sys
    S4 afcnt;afcnt;C:\WINDOWS\system32\DRIVERS\afcnt.sys
    S4 AmdIde;AmdIde;C:\WINDOWS\system32\DRIVERS\amdide.sys
    S4 arc;arc;C:\WINDOWS\system32\DRIVERS\arc.sys
    S4 ClusDisk;Cluster Disk Driver;C:\WINDOWS\system32\DRIVERS\ClusDisk.sys
    S4 cpqarry2;cpqarry2;C:\WINDOWS\system32\DRIVERS\cpqarry2.sys
    S4 cpqcissm;cpqcissm;C:\WINDOWS\system32\DRIVERS\cpqcissm.sys
    S4 cpqfcalm;cpqfcalm;C:\WINDOWS\system32\DRIVERS\cpqfcalm.sys
    S4 dellcerc;dellcerc;C:\WINDOWS\system32\DRIVERS\dellcerc.sys
    S4 hpcisss;hpcisss;C:\WINDOWS\system32\DRIVERS\hpcisss.sys
    S4 hpt3xx;hpt3xx;C:\WINDOWS\system32\DRIVERS\hpt3xx.sys
    S4 iirsp;iirsp;C:\WINDOWS\system32\DRIVERS\iirsp.sys
    S4 ipsraidn;ipsraidn;C:\WINDOWS\system32\DRIVERS\ipsraidn.sys
    S4 IsmServ;Intersite Messaging;C:\WINDOWS\System32\ismserv.exe
    S4 kdc;Kerberos Key Distribution Center;C:\WINDOWS\System32\lsass.exe
    S4 lp6nds35;lp6nds35;C:\WINDOWS\system32\DRIVERS\lp6nds35.sys
    S4 nfrd960;nfrd960;C:\WINDOWS\system32\DRIVERS\nfrd960.sys
    S4 ql2100;ql2100;C:\WINDOWS\system32\DRIVERS\ql2100.sys
    S4 ql2200;ql2200;C:\WINDOWS\system32\DRIVERS\ql2200.sys
    S4 ql2300;ql2300;C:\WINDOWS\system32\DRIVERS\ql2300.sys
    S4 TrkSvr;Distributed Link Tracking Server;C:\WINDOWS\system32\svchost.exe -k netsvcs
    S4 Tssdis;Terminal Services Session Directory;C:\WINDOWS\System32\tssdis.exe
    S4 uliagpkx;Uli AGP Bus Filter;C:\WINDOWS\system32\DRIVERS\uliagpkx.sys

    [HKEY_LOCAL_MACHINE\software\microsoft\windows nt\currentversion\svchost]
    LocalService Alerter WebClient LmHosts W32Time WinHttpAutoProxySvc
    NetworkService 6to4 DHCP DnsCache
    WinErr ERsvc
    DcomLaunch DcomLaunch
    tapisrv Tapisrv
    regsvc RemoteRegistry
    swprv swprv
    HPZ12 Pml Driver HPZ12 Net Driver HPZ12

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost - NetSvcs
    AeLookupSvc
    AppMgmt
    AudioSrv
    Browser
    CryptSvc
    DMServer
    HidServ
    LanmanServer
    LanmanWorkstation
    Messenger
    Nla
    NWCWorkstation
    Sacsvr
    Schedule
    Seclogon
    Themes
    TrkWks
    TrkSvr
    Wmi
    WmdmPmSp
    winmgmt
    xmlprov
    BITS
    wuauserv
    ShellHWDetection
    helpsvc


    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{36BBA8D2-CA5C-4847-81CC-4F807DD86C91}]
    %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateUser urlmon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{6D69F546-C1AF-4049-AE9E-28627B91D3F5}]
    %SystemRoot%\system32\regsvr32.exe /s /n /i:IEUpdateAdmin urlmon.dll

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}]
    %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenAdmin

    [HKEY_LOCAL_MACHINE\software\microsoft\active setup\installed components\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}]
    %SystemRoot%\system32\rundll32.exe iesetup.dll,IEHardenUser
    .
    **************************************************************************

    catchme 0.3.1262 W2K/XP/Vista - rootkit/stealth malware detector by Gmer, http://www.gmer.net
    Rootkit scan 2007-11-29 21:10:37
    Windows 5.2.3790 Service Pack 2 NTFS

    scanning hidden processes ...

    scanning hidden autostart entries ...

    scanning hidden files ...

    scan completed successfully
    hidden files: 0

    **************************************************************************
    .
    Completion time: 2007-11-29 21:11:16 - machine was rebooted
    C:\ComboFix2.txt ... 2007-11-18 13:54
    C:\ComboFix3.txt ... 2007-11-18 12:51
    .
    --- E O F ---
     
  13. 2007/11/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Looks as though the HijackThis log was created prior to running ComboFix. I need an after. Please scan again and post a new HJT log.

    While I'm looking over the logs, this is not the normal location for the following file.

    C:\Program Files\spoolsv.exe

    Check its properties, please, and scan it at Jotti. Let me know the results.
     
  14. 2007/11/29
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    Please check this file as well.

    C:\WINDOWS\xhh1j8ol.exe
     
  15. 2007/11/30
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    Hijack This reposted

    You are correct... sorry about that. This scan was run post-ComboFix:
    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 08:22, on 2007-11-30
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:
    C:\Documents and Settings\Administrator.65GW2003\WINDOWS\System32\smss.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\services.exe
    C:\WINDOWS\system32\lsass.exe
    C:\WINDOWS\system32\svchost.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    C:\WINDOWS\system32\spoolsv.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    C:\Program Files\Symantec AntiVirus\DefWatch.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    C:\WINDOWS\System32\svchost.exe
    C:\Program Files\Symantec AntiVirus\SavRoam.exe
    C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    C:\WINDOWS\System32\snmp.exe
    C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    e:\Program Files\RealVNC\VNC4\WinVNC4.exe
    C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    C:\WINDOWS\System32\dmadmin.exe
    C:\WINDOWS\System32\svchost.exe
    C:\WINDOWS\Explorer.EXE
    C:\Program Files\Common Files\Symantec Shared\ccApp.exe
    C:\PROGRA~1\SYMANT~1\VPTray.exe
    E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe
    E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe
    E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\WINDOWS\system32\winlogon.exe
    C:\Program Files\Trend Micro\HijackThis\HijackThis.exe

    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = file:///C:/dell/homepage/dellhome.htm
    R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = C:\dell\homepage\dellhome.htm
    R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = C:\dell\homepage\dellhome.htm
    R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\system32\blank.htm
    R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://r.office.microsoft.com/r/rlidOfficeUpdate?clid=1033
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyServer = jtpdial1:8080
    R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = secure.deyta.com
    F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,
    O2 - BHO: Adobe PDF Reader Link Helper - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - E:\Program Files\Adobe\Acrobat 7.0\ActiveX\AcroIEHelper.dll
    O2 - BHO: Adobe PDF Conversion Toolbar Helper - {AE7CD045-E861-484f-8273-0445EE161910} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll
    O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
    O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\VPTray.exe
    O4 - HKLM\..\Run: [Acrobat Assistant 7.0] "E:\Program Files\Adobe\Acrobat 7.0\Distillr\Acrotray.exe"
    O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
    O4 - HKCU\..\Run: [DBISQL9] "E:\Program Files\Sybase\SQL Anywhere 9\win32\dbisqlg.exe" -preload
    O4 - HKCU\..\Run: [SybaseCentral43] "E:\Program Files\Sybase\Shared\Sybase Central 4.3\win32\scjview.exe" -preload
    O4 - HKUS\S-1-5-19\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'LOCAL SERVICE')
    O4 - HKUS\S-1-5-20\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'NETWORK SERVICE')
    O4 - HKUS\S-1-5-18\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'SYSTEM')
    O4 - HKUS\.DEFAULT\..\RunOnce: [tscuninstall] %systemroot%\system32\tscupgrd.exe (User 'Default user')
    O8 - Extra context menu item: Convert link target to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert link target to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert selected links to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECaptureSelLinks.html
    O8 - Extra context menu item: Convert selected links to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppendSelLinks.html
    O8 - Extra context menu item: Convert selection to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert selection to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: Convert to Adobe PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIECapture.html
    O8 - Extra context menu item: Convert to existing PDF - res://E:\Program Files\Adobe\Acrobat 7.0\Acrobat\AcroIEFavClient.dll/AcroIEAppend.html
    O8 - Extra context menu item: E&xport to Microsoft Excel - res://E:\PROGRA~1\MICROS~1\OFFICE11\EXCEL.EXE/3000
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - E:\PROGRA~1\MICROS~1\OFFICE11\REFIEBAR.DLL
    O10 - Broken Internet access because of LSP provider 'c:\documents and settings\administrator.65gw2003\windows\system32\winrnr.dll' missing
    O15 - ESC Trusted Zone: http://rad.msn.com
    O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.com/kos/eng/partner/default/kavwebscan_unicode.cab
    O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/wuweb_site.cab?1191889896244
    O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://www.update.microsoft.com/mic...ls/en/x86/client/muweb_site.cab?1191889888916
    O16 - DPF: {8613571C-30D2-4BD4-9710-3DFDBADE8190} (AMI Pictorial Control CWeb 2.1 SPa05) - http://10.34.33.18/amI/install/amiviewer.cab
    O16 - DPF: {E06E2E99-0AA1-11D4-ABA6-0060082AA75C} (GpcContainer Class) - https://join-test.webex.com/client/T25L/webex/ieatgpc.cab
    O16 - DPF: {E5F5D008-DD2C-4D32-977D-1A0ADF03058B} (JuniperSetupSP1 Control) - https://southeast.clio.medcity.net/dana-cached/setup/JuniperSetupSP1.cab
    O17 - HKLM\System\CCS\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\Software\..\Telephony: DomainName = 65GW2003.com
    O17 - HKLM\System\CCS\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O17 - HKLM\System\CS1\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\System\CS1\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O17 - HKLM\System\CS2\Services\Tcpip\Parameters: Domain = 65GW2003.com
    O17 - HKLM\System\CS2\Services\Tcpip\..\{5EEA7297-A00F-44F3-9D7E-F507B82D3E52}: NameServer = 10.10.1.70,10.10.1.72
    O23 - Service: Backup Exec Remote Agent for Windows Systems (BackupExecAgentAccelerator) - Symantec Corporation - C:\Program Files\Symantec\Backup Exec\RAWS\beremote.exe
    O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
    O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
    O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
    O23 - Service: DSM SA Event Manager (dcevt32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_eventmgr32.exe
    O23 - Service: DSM SA Data Manager (dcstor32) - Dell Inc. - C:\Program Files\Dell\SysMgt\dataeng\bin\dsm_sa_datamgr32.exe
    O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
    O23 - Service: mr2kserv - LSI Logic Corporation - C:\Program Files\Dell\SysMgt\sm\mr2kserv.exe
    O23 - Service: DSM SA Shared Services (omsad) - Dell Inc. - C:\Program Files\Dell\SysMgt\oma\bin\dsm_om_shrsvc32.exe
    O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
    O23 - Service: DSM SA Connection Service (Server Administrator) - Unknown owner - C:\Program Files\Dell\SysMgt\iws\bin\win32\dsm_om_connsvc32.exe
    O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
    O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
    O23 - Service: VNC Server Version 4 (WinVNC4) - RealVNC Ltd. - e:\Program Files\RealVNC\VNC4\WinVNC4.exe

    --
    End of file - 9154 bytes
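    The check behind noahdfear's remark in post 13 (a spoolsv.exe under C:\Program Files is not where the Print Spooler lives; the real one is the system32 copy in the list above) can be run mechanically over a HijackThis log like the one just posted. The script below is an added example written for this page; it is not code from the forum, from HijackThis, ComboFix or DSS. Its process list is constructed to resemble the "Running processes" section of the log (a few entries are taken from it, the rest are illustrative), the table of expected directories is a short hand-made list, and the one MD5 it knows is the hash Jotti reported for the Program Files spoolsv.exe in the next post.

```python
"""Flag core Windows binaries running from the wrong directory.

Added example for this thread, not code from HijackThis, ComboFix, DSS or
the forum. SAMPLE_HJT is constructed to look like a HijackThis "Running
processes" section; KNOWN_BAD_MD5 holds the hash Jotti reported for the
spoolsv.exe copy found in Program Files.
"""
import hashlib
import ntpath
from collections import Counter

# Core binaries and the directory (relative to %SystemRoot%) they ship in.
# A file with one of these names anywhere else deserves a second look.
# Assumption: this short table is enough for the demo; extend as needed.
EXPECTED_SUBDIR = {
    "smss.exe": "system32",
    "csrss.exe": "system32",
    "winlogon.exe": "system32",
    "services.exe": "system32",
    "lsass.exe": "system32",
    "svchost.exe": "system32",
    "spoolsv.exe": "system32",
    "explorer.exe": "",  # lives directly in %SystemRoot%
}

# MD5 Jotti reported for the Program Files spoolsv.exe (30 Nov 2007).
KNOWN_BAD_MD5 = {
    "38d6cdf6f01dbef2832c0e8ede745f8e": "Trojan-Downloader.Win32.Alphabet.gen",
}

# Constructed sample, modelled on the HijackThis log posted in the thread.
SAMPLE_HJT = """\
Logfile of Trend Micro HijackThis v2.0.2
Boot mode: Normal

Running processes:
C:\\Documents and Settings\\Administrator.65GW2003\\WINDOWS\\System32\\smss.exe
C:\\WINDOWS\\system32\\winlogon.exe
C:\\WINDOWS\\system32\\services.exe
C:\\WINDOWS\\system32\\lsass.exe
C:\\WINDOWS\\System32\\svchost.exe
C:\\WINDOWS\\system32\\spoolsv.exe
C:\\Program Files\\spoolsv.exe
C:\\WINDOWS\\Explorer.EXE
C:\\WINDOWS\\system32\\winlogon.exe
C:\\Program Files\\Trend Micro\\HijackThis\\HijackThis.exe

R0 - HKCU\\Software\\Microsoft\\Internet Explorer\\Main,Start Page = about:blank
"""


def running_processes(hjt_text):
    """Return the image paths listed under 'Running processes:'."""
    procs, in_section = [], False
    for line in hjt_text.splitlines():
        line = line.strip()
        if line == "Running processes:":
            in_section = True
        elif in_section:
            if not line:  # the section ends at the first blank line
                break
            procs.append(line)
    return procs


def _norm_dir(path):
    # ntpath understands backslash paths on any host OS; normcase folds case.
    return ntpath.normcase(ntpath.dirname(path)).rstrip("\\")


def masquerading(paths, systemroot="C:\\WINDOWS"):
    """(path, expected_dir) for each core binary running from elsewhere."""
    hits = []
    for path in paths:
        name = ntpath.basename(path).lower()
        if name not in EXPECTED_SUBDIR:
            continue
        expected = ntpath.join(systemroot, EXPECTED_SUBDIR[name])
        expected = ntpath.normcase(expected).rstrip("\\")
        if _norm_dir(path) != expected:
            hits.append((path, expected))
    return hits


def instance_counts(paths):
    """Copies of each image name. Several winlogon.exe instances are normal on
    a terminal server (one per session), so treat counts as context only."""
    return Counter(ntpath.basename(p).lower() for p in paths)


def md5_hex(data):
    """MD5 of a file's bytes, for comparison with hashes others reported.
    A hash match identifies a known sample; a mismatch proves nothing."""
    return hashlib.md5(data).hexdigest()


def known_bad(data):
    """Label for a known-bad sample, or None if the hash is unknown."""
    return KNOWN_BAD_MD5.get(md5_hex(data))


if __name__ == "__main__":
    procs = running_processes(SAMPLE_HJT)
    for path, expected in masquerading(procs):
        print(f"SUSPECT {path}  (expected under {expected})")
    print(instance_counts(procs)["winlogon.exe"], "winlogon.exe instance(s)")
```

    On the constructed list it flags two entries: the spoolsv.exe in Program Files, and an smss.exe whose path runs through a user profile rather than %SystemRoot%\system32, the same shape as the first line of the log above. Both are candidates for a hash check and a Jotti submission, not verdicts by themselves.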
     
  16. 2007/11/30
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    Questionable files

    c:\program files\spoolsv.exe
    Size: 10KB
    Created: 11/28/2007 12:55
    Mod: 11/28/2007 13:02
    Access: 11/30/2007 9:01
    Version: 1.0.0.1
    Description: Module
    Company: NoName Corp.
    Orig. file name: nnc.exe
    File: spoolsv.exe
    Status: INFECTED/MALWARE
    MD5: 38d6cdf6f01dbef2832c0e8ede745f8e
    Packers detected: PE_PATCH.PECOMPACT, PECBUNDLE, PECOMPACT
    Bit9 reports: File not found
    Scan taken on 30 Nov 2007 14:26:08 (GMT)
    A-Squared Found nothing
    AntiVir Found TR/Downloader.Gen
    ArcaVir Found Trojan.Downloader.Alphabet.Gen.10201.MX
    Avast Found Win32:Small-FHL
    AVG Antivirus Found Downloader.Generic6.VFQ
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found Trojan.Click.origin
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found Trojan-Downloader.Win32.Alphabet.gen
    Fortinet Found nothing
    Ikarus Found AdWare.BHO.Ihbo
    Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Alphabet.gen
    NOD32 Found Win32/TrojanDownloader.Alphabet.NAE
    Norman Virus Control Found W32/DLoader.EHHJ
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found Troj/Nonaco-Gen
    VirusBuster Found nothing
    VBA32 Found Trojan-Downloader.Win32.Alphabet.gen


    c:\windows\xhh1j80l.exe
    Size: 5.84KB
    Created: 1/8/2007 14:11
    Mod: 1/8/2007 14:11
    Access: 11/30/2007 9:04
    no other info
    Jotti results:
    File: xhh1j8ol.exe
    Status: POSSIBLY INFECTED/MALWARE (Note: this file was only classified as malware by scanners known to generate more false positives than the average scanner. Do not consider these results definitely accurate. Also, because of this, results of this scan will not be recorded in the database.)
    MD5: 939cf372617bf1c494297a74e1e17e59
    Packers detected: -
    Bit9 reports: No threat detected (more info)
    You searched for
    MD5: 939cf372617bf1c494297a74e1e17e59
    Your hash has been found in 1 Package(s).
    Scan taken on 30 Nov 2007 14:21:43 (GMT)
    A-Squared Found nothing
    AntiVir Found nothing
    ArcaVir Found nothing
    Avast Found nothing
    AVG Antivirus Found nothing
    BitDefender Found nothing
    ClamAV Found nothing
    CPsecure Found nothing
    Dr.Web Found nothing
    F-Prot Antivirus Found nothing
    F-Secure Anti-Virus Found nothing
    Fortinet Found nothing
    Ikarus Found Win32.SuspectCrc
    Kaspersky Anti-Virus Found nothing
    NOD32 Found nothing
    Norman Virus Control Found nothing
    Panda Antivirus Found nothing
    Rising Antivirus Found nothing
    Sophos Antivirus Found nothing
    VirusBuster Found nothing
    VBA32 Found nothing
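    Reading the two reports above: 12 of 21 engines flag the Program Files spoolsv.exe, five of them under the same Alphabet downloader family, while xhh1j8ol.exe gets a single hit from one heuristic engine, which is exactly the case Jotti's own note warns is unreliable. The script below turns that reading into a repeatable triage step. It is an added example for this page, not Jotti's code or anything from the forum; the first report is the one quoted in the post, the second is rebuilt from the post (same 21 engines, only Ikarus reporting) rather than pasted, and the detection threshold and the class-word stoplist are assumptions made for the demo.

```python
"""Triage a Jotti-style multi-engine report.

Added example for this thread, not code from Jotti or the forum. The first
report is quoted from the post above; the second is rebuilt from the
xhh1j8ol.exe post (every engine 'Found nothing' except Ikarus). The
threshold and the class-word stoplist are assumptions for the demo.
"""
import re
from collections import Counter

SPOOLSV_REPORT = """\
A-Squared Found nothing
AntiVir Found TR/Downloader.Gen
ArcaVir Found Trojan.Downloader.Alphabet.Gen.10201.MX
Avast Found Win32:Small-FHL
AVG Antivirus Found Downloader.Generic6.VFQ
BitDefender Found nothing
ClamAV Found nothing
CPsecure Found nothing
Dr.Web Found Trojan.Click.origin
F-Prot Antivirus Found nothing
F-Secure Anti-Virus Found Trojan-Downloader.Win32.Alphabet.gen
Fortinet Found nothing
Ikarus Found AdWare.BHO.Ihbo
Kaspersky Anti-Virus Found Trojan-Downloader.Win32.Alphabet.gen
NOD32 Found Win32/TrojanDownloader.Alphabet.NAE
Norman Virus Control Found W32/DLoader.EHHJ
Panda Antivirus Found nothing
Rising Antivirus Found nothing
Sophos Antivirus Found Troj/Nonaco-Gen
VirusBuster Found nothing
VBA32 Found Trojan-Downloader.Win32.Alphabet.gen
"""


def parse_report(text):
    """Map scanner name -> detection name, or None for 'Found nothing'."""
    results = {}
    for line in text.splitlines():
        if " Found " in line:
            scanner, verdict = line.strip().split(" Found ", 1)
            results[scanner] = None if verdict == "nothing" else verdict
    return results


# Words that name the class of threat rather than a family; every vendor
# uses some of them, so they carry no consensus signal. (Assumed list.)
CLASS_WORDS = {"trojan", "troj", "tr", "win32", "w32", "downloader",
               "trojandownloader", "dloader", "gen", "generic", "adware",
               "bho", "origin"}


def family_consensus(results):
    """(most common family-like token, number of engines using it)."""
    votes = Counter()
    for verdict in results.values():
        if verdict is None:
            continue
        # One vote per engine per token, so a long name does not count twice.
        tokens = {t.lower() for t in re.split(r"[^A-Za-z0-9]+", verdict)}
        votes.update(t for t in tokens
                     if t and t not in CLASS_WORDS
                     and not any(c.isdigit() for c in t))
    return votes.most_common(1)[0] if votes else (None, 0)


def triage(results, min_engines=3):
    """Assumed rules: >= min_engines detections -> malicious; fewer (e.g. one
    heuristic hit) -> inconclusive, submit elsewhere or sandbox it; none ->
    clean, which only ever means 'not detected today'."""
    hits = sum(v is not None for v in results.values())
    if hits >= min_engines:
        return "malicious"
    return "inconclusive" if hits else "clean"


def summarize(text, min_engines=3):
    results = parse_report(text)
    family, votes = family_consensus(results)
    return {"engines": len(results),
            "detections": sum(v is not None for v in results.values()),
            "family": family, "family_votes": votes,
            "verdict": triage(results, min_engines)}


# Same 21 engines, only Ikarus reporting (rebuilt from the post, not pasted).
XHH_REPORT = "\n".join(
    f"{s} Found " + ("Win32.SuspectCrc" if s == "Ikarus" else "nothing")
    for s in parse_report(SPOOLSV_REPORT))

if __name__ == "__main__":
    print("spoolsv.exe ", summarize(SPOOLSV_REPORT))
    print("xhh1j8ol.exe", summarize(XHH_REPORT))
```

    The family vote is a crude token count, but it separates "many engines, one family" (spoolsv.exe: Alphabet, 5 votes) from "one engine, a CRC heuristic" (xhh1j8ol.exe), which is the distinction that decides whether a file is deleted on sight or handled the way noahdfear did here: hold it, check properties, and get a second opinion.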
     
  17. 2007/12/03
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    My apologies... I forgot about putting together follow-up instructions. We probably should get a fresh dss log so we can see if there's anything new I need to include. This time, with dss on the desktop, paste the following command on the Start>Run line.

    "%userprofile%\desktop\dss.exe" /config

    When the dss interface opens, click Uncheck All. Select only the following items.

    HijackThis
    Drivers
    Services
    Files Created/Modified

    Click Scan. maint.txt will open when the scan is complete. Post its contents.


    BTW, here's a link to dss.exe in case you need it.
     
  18. 2007/12/04
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    DSS scan

    Deckard's System Scanner v20071014.68
    Run by Administrator on 2007-12-04 21:18:26
    Computer is in Normal Mode.
    --------------------------------------------------------------------------------

    Backed up registry hives.



    -- HijackThis (run as Administrator.exe) ---------------------------------------

    Logfile of Trend Micro HijackThis v2.0.2
    Scan saved at 21:19, on 2007-12-04
    Platform: Windows 2003 SP2 (WinNT 5.02.3790)
    MSIE: Internet Explorer v6.00 SP2 (6.00.3790.3959)
    Boot mode: Normal

    Running processes:

    -- End of Deckard's System Scanner: finished at 2007-12-04 21:19:28 ------------
     
    Last edited: 2007/12/05
  19. 2007/12/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    If you can delete the following files manually, there's no need to run ComboFix again.

    C:\WINDOWS\012o41bm.exe
    C:\WINDOWS\system32\e404d.dll
    C:\WINDOWS\c90m10se.exe
    C:\WINDOWS\ukf3z6de.exe


    Did you already remove the files I had you submit for analysis? I don't see them in the dss log.

    c:\program files\spoolsv.exe
    c:\windows\xhh1j80l.exe


    If you didn't, do so.

    Then empty the recycle bin.

    Let me know!
     
  20. 2007/12/04
    mcseadogs

    mcseadogs Inactive Thread Starter

    Joined:
    2007/11/15
    Messages:
    81
    Likes Received:
    0
    update 12-4-07 10:30PM

    I was able to delete all files manually and clear the recycle bin! Thanks again,
    Mary
     
  21. 2007/12/04
    noahdfear

    noahdfear Inactive

    Joined:
    2003/04/06
    Messages:
    12,178
    Likes Received:
    15
    That's great! Ready to tidy up and run an online scan, just to be sure?

    Click Start>Run and type ComboFix /u then hit enter to remove ComboFix and its quarantined files.

    Delete dss.exe

    You know the drill for Kaspersky WebScanner ;)
     